When given a theorem, find_names finds other names the theorem appears
under, via matching on the whole proposition. It will not identify
unnamed theorems.
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).
By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
Including version information in the spec document is tricky, because
Isabelle will rebuild the session whenever it sees that session inputs
(including document sources) have changed. Since ASpec is close to the
root of our session hierarchy, frequently changing version information
causes excessive rebuilds during development.
This commit avoids excessive rebuilding by building the document (with
version information) in a separate ASpecDoc session. The ASpecDoc
session is identical to the previous version of the ASpec session, but
is not the parent of any other sessions. The ASpec session is used as
the basis for other sessions, but has document-only inputs removed, and
also has document builds disabled.
This partially reverts a recent change which adds these.
Unfortunately, including the ARCH and git-id files in the ROOT file
causes frequent rebuilds during development. For example, adding a
commit that changes only CRefine would cause a change in the git-id
file, which would in turn trigger a rebuild of ASpec and everything that
depends on it. Because the git-id file also noted uncommitted changes,
these would also trigger an ASpec rebuild. Similarly, switching to a
different L4V_ARCH would cause the ARCH file to change, also triggering
an ASpec rebuild.
Since Isabelle makes it difficult to include this information in the
document without adding these files to the ROOT file, this commit is
removing this information until we find a better way.
message_info structs have 20 bit labels. On 32-bit systems, the label
does not need to be masked as there are no extra padding bits in the
struct, but this is not true for 64-bit systems. As a result, the
Haskell needs to mask msgLabelBits (=20) when extracting the label in
messageInfoFromWord.
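An added illustration (not the l4v Haskell spec itself) of the masking point above: a Python model of label extraction from a message_info word on 32-bit and 64-bit. msgLabelBits = 20 is from the commit message; the other field widths (length 7, extraCaps 2, capsUnwrapped 3) and the field order are assumptions about the seL4 layout, and the sample words are constructed.

```python
# Field widths: MSG_LABEL_BITS comes from the commit message, the rest are
# assumed seL4 widths (7 + 2 + 3 + 20 = 32 bits of payload).
MSG_LENGTH_BITS = 7
MSG_EXTRA_CAP_BITS = 2
MSG_CAPS_UNWRAPPED_BITS = 3
MSG_LABEL_BITS = 20

EXTRA_CAP_SHIFT = MSG_LENGTH_BITS
CAPS_UNWRAPPED_SHIFT = EXTRA_CAP_SHIFT + MSG_EXTRA_CAP_BITS
LABEL_SHIFT = CAPS_UNWRAPPED_SHIFT + MSG_CAPS_UNWRAPPED_BITS  # 12
PAYLOAD_BITS = LABEL_SHIFT + MSG_LABEL_BITS                    # 32


def mask(n):
    return (1 << n) - 1


def message_info_to_word(label, caps_unwrapped, extra_caps, length, word_bits):
    """Pack the fields into a machine word of word_bits bits."""
    word = ((label & mask(MSG_LABEL_BITS)) << LABEL_SHIFT
            | (caps_unwrapped & mask(MSG_CAPS_UNWRAPPED_BITS)) << CAPS_UNWRAPPED_SHIFT
            | (extra_caps & mask(MSG_EXTRA_CAP_BITS)) << EXTRA_CAP_SHIFT
            | (length & mask(MSG_LENGTH_BITS)))
    return word & mask(word_bits)


def label_unmasked(word):
    """The pre-fix extraction: shift only. Correct on 32-bit words,
    where no bits exist above the label; wrong on 64-bit words."""
    return word >> LABEL_SHIFT


def label_masked(word):
    """The fixed extraction: shift, then mask to msgLabelBits."""
    return (word >> LABEL_SHIFT) & mask(MSG_LABEL_BITS)


def demo(word_bits):
    """Constructed sample: a word whose padding bits (those above the
    32-bit payload, present only on 64-bit) are all set, as a register
    may well contain. Returns (word, unmasked_label, masked_label)."""
    label = 0xABCDE
    word = message_info_to_word(label, 5, 3, 100, word_bits)
    padding = mask(word_bits) & ~mask(PAYLOAD_BITS)  # zero on 32-bit
    word |= padding
    return word, label_unmasked(word), label_masked(word)
```

On a 32-bit word both extractions agree; on a 64-bit word only the masked one recovers the 20-bit label.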
It's just a parser tweak for crunch, and runs multiple crunch commands
with the same sections (wps, ignores, etc).
Also update the comments a little, and move them closer to the anchor of
command clicks (the @{command_keyword} antiquotation).
- timeout_output looks for isabelle relative to its file path
- run_tests looks for timeout_output relative to its file path
- output from timeout_output is utf8-decoded before attempting to
concatenate with other strings
Meta-regression should now pass.
Changes to the C kernel to mitigate the Meltdown vulnerability have
removed x64KSCurrentCR3, and replaced it with other state. As a
temporary fix, this commit removes references to x64KSCurrentCR3 from
the C state relation to keep existing proofs working.
For x64 verification, this ultimately needs to be replaced with a
relation on the new state that has been added, and the specs updated
accordingly.
- this commit introduces the name "simple kernel object (simple_ko)" for generic (non-arch) kernel objects that are not tcbs or cnodes. For the master l4v, endpoints and notifications are the simple kernel objects.
- simple kernel objects are simple, for instance in the sense that they don't have recursive structure and their validity is defined without using a pointer.
- The setter and getter for simple kernel objects are defined. These replace the specific getters/setters for endpoint and notification. Consequently, almost all wp rules for the two sets of getter/setter are also replaced by the ones for simple kernel object getter/setter.
In addition to the a_type ATCB simplification, the following two are now in the simpset:
"a_type (Endpoint x) = AEndpoint"
"a_type (Notification v) = ANTFN"
The strengthen implementation can now do a bit more.
The new method strengthen_asm also adjusts assumptions.
The new method strengthen_meth takes a method as a parameter,
e.g. apply (strengthen_meth \<open> rule order.trans \<close>)
does the same thing as apply (strengthen order.trans)
with scope for other exciting applications I haven't thought of.
This change was a result of the constant "(tcb_t*)~0" being defined as
0x00000000FFFFFFFF on x86-64 (0 is implicitly a 32-bit integer) rather
than 0xFFFFFFFFFFFFFFFF as expected.
This removes an ifdef present in invokeTCB_(Copy|Write)Registers, and
adds the function Arch_postModifyRegisters which does nothing on any
arch except x86-64.